On 2/24/22 1:44 PM, Jay Hennigan via mailop wrote:
> Assuming that your home connection is typical residential broadband, consider a split system. Host your receiving SMTP at home with a dynamic DNS tracker to keep the MX pointed at your dynamic residential IP and use this for inbound mail to you.
I agree that inbound to a dynamic IP is somewhere between quite possible and trivial.
What I'm not quite sure of is why have inbound come directly to the dynamic IP as opposed to passing through the VPS / VPN. As in what benefits do you think it would provide that outweigh inbound going to the VPS / VPN directly?
> Because sending mail from a dynamic residential IP is going to be problematic, use a VPS or VPN to an offsite hosted static IP for your outbound mail. Do no logging or storage at the offsite location.
I'm thinking more akin to everything to do with email on the VPS / VPN is purely L3 network tricks with no actual SMTP application layer process running on the VPS. Thus there wouldn't be any application to do logging. Granted I am assuming that people aren't logging NATed traffic.
> Of course, if you're worried about search warrants, capturing traffic in flight is likely to be the means of interception rather than physical access to hardware located at your residence, so yes, maybe it's silly.
I agree for /current/ email, particularly inbound / outbound SMTP when the best practice of STARTTLS isn't used. -- Client access protocols (SMTP, IMAP, HTTP) should be configured to *require* /authenticated/ *encryption*.
However, such traffic capturing doesn't do anything for the corpus of /historic/ email living on the mail server located in the home.
> End-to-end strong encryption isn't really universal for email traffic between different end systems.
Sadly true. I've been a strong advocate of (fat) client based end-to-end email encryption for years. -- Yes, I practice what I preach everywhere that I can.
> Even if it were, tracking the fact that the communication took place is trivial for three-letter agencies without visiting your residence even if the content is encrypted.
Agreed. Metadata is a real thing. But there are only so many steps that I can do as an end user / small email server operator to ensure my (users') safety. -- The outermost edge that I've found to be practical is to configure my MTA to require STARTTLS encryption when exchanging emails with specific sending / receiving domains that are known to support it.
-- Grant. . . . unix || die
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
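The two configuration points raised in the reply above (requiring authenticated encryption on client access ports, and requiring STARTTLS only for specific peer domains known to support it) map onto concrete MTA knobs. The fragment below is an added illustration, not part of the original mail or of any poster's setup; it assumes Postfix with Dovecot as the IMAP server, and the domain names and file paths are placeholders chosen for the example.

```text
# ---- /etc/postfix/main.cf (added example, hypothetical paths and domains) ----

# Weak default: opportunistic TLS. Postfix will fall back to cleartext if the
# remote side does not offer STARTTLS, so a downgrade on the path goes unnoticed.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Per-destination override: the map below raises the level for domains whose
# operators are known to support TLS, without breaking delivery to everyone else.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# CA bundle needed for the "secure"/"verify" levels to authenticate peer certs.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Inbound side: Postfix cannot globally require TLS on port 25 without breaking
# RFC-compliant senders, so keep "may" here ...
smtpd_tls_security_level = may
# ... and instead reject a plaintext session only when the envelope sender
# claims one of the domains listed in the access map. (Caveat: the envelope
# sender is attacker-controlled, so this only enforces policy for mail that
# claims to come from those domains; it is not a sender-authentication check.)
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/require_tls_senders,
    permit

# ---- /etc/postfix/tls_policy  (run: postmap /etc/postfix/tls_policy) ----
# level "encrypt":   TLS mandatory, certificate not verified
# level "secure":    TLS mandatory, certificate chain and hostname verified
# level "dane-only": TLS mandatory, certificate matched against DNSSEC-signed TLSA
#
# example-partner.test      secure
# legacy-but-tls.test       encrypt
# dane-enabled.test         dane-only

# ---- /etc/postfix/require_tls_senders  (run: postmap ...) ----
# example-partner.test      reject_plaintext_session
# legacy-but-tls.test       reject_plaintext_session

# ---- /etc/postfix/master.cf: submission port for the MUA ----
# Authenticated encryption for client access: no AUTH offered before STARTTLS,
# and nothing relayed unless the session is authenticated.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- /etc/dovecot/conf.d/10-ssl.conf and 10-auth.conf: IMAP client access ----
ssl = required
disable_plaintext_auth = yes
```

Two checks worth doing after a change like this: `postconf -n` to confirm the effective values (a typo in `main.cf` silently keeps the old setting), and watching `smtp_tls_loglevel = 1` output for "Untrusted TLS connection" against a domain listed as `secure`, which means the policy was not actually enforced with verification.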